WHAT IS CLAIMED IS: 



1 1 . A method of annotating a computer program, comprising: 

2 a) applying a program checking tool to the computer program to produce one or more 

3 warnings; 

4 b) mapping at least one of said warnings into at least one annotation modification; 

5 c) modifying the computer program in accordance with said at least one annotation 

6 modification so that the number of annotations in the computer program changes, thereby 

7 producing a modified computer program; 

8 d) repeating each of steps a), b) and c) until no warnings produced in step a) are 

9 suitable for mapping into an annotation modification; and 

10 e) providing a user with the modified computer program in which is found at least one 

1 1 annotation. 

1 2. The method of claim 1 wherein at least a subset of said warnings are warnings about 

2 potential misapplications of primitive operations in the computer program. 

1 3 . The method of claim 2 wherein, prior to said mapping, said warnings about potential 

2 misapplications of primitive operations in the computer program are identified, and said 

3 modifying comprises inserting into the computer program at least one annotation that is 

4 produced by mapping at least one of said warnings about potential misapplications of 

5 primitive operations into an annotation modification. 

1 4. The method of claim 1 wherein, prior to said applying, a candidate set of heuristically 

2 derived annotations is inserted into the computer program. 

1 5 . The method of claim 4 wherein at least a subset of said warnings are warnings about 

2 inconsistencies between the computer program and one or more of the annotations. 

1 6. The method of claim 5 wherein said warnings about inconsistencies between the 

2 computer program and one or more of the annotations are identified, and said modifying 
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3 comprises removing from the computer program one of said heuristically derived annotations 

4 identified by said at least one annotation modification. 

1 7. The method of claim 4 wherein said set of candidate annotations comprises a 

2 candidate invariant for a variable f. 

1 8. The method of claim 4 wherein said set of candidate annotations comprises at least 

2 one candidate precondition for a procedure in said computer program. 

1 9. The method of claim 4 wherein said set of candidate annotations comprises at least 

2 one candidate postcondition for a procedure in said computer program. 

1 10. The method of claim 7 wherein said candidate invariant is of the form f != null. 

1 11. The method of claim 7 wherein said candidate invariant comprises an expression that 

2 includes a comparison operator. 

1 12. The method of claim 1 1 wherein said comparison operator is selected from the group 

2 consisting of: <, <=, =, !=, >= and >. 

1 13. The method of claim 1 1 wherein said expression includes an operand selected from 

2 the group consisting of: a variable declared earlier in a same class of the computer program; 

3 any one of the constants -1 5 0, 1; and a constant dimension in an array allocation expression in 

4 the computer program. 

1 14. The method of claim 1 wherein at least one of said warnings includes an explanation. 

1 15. The method of claim 1 wherein at least one of said annotations in said modified 

2 computer program includes an explanation. 

1 16. The method of claim 6 wherein said removing comprises commenting out one of said 

2 heuristically derived annotations from the computer program. 
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17. The method of claim 16 wherein said removing additionally comprises adding an 
explanatory comment into one of said heuristically derived annotations from the computer 
program. 

18. The method of Claim 3 wherein said annotation includes an explanatory comment. 

19. The method of Claim 1 wherein said program checking tool is a type checker. 

20. The method of Claim 1 wherein said program checking tool is an extended static 
checker. 

21 . The method of Claim 1 wherein said program checking tool comprises a verification 
condition generator and a theorem prover. 

22. A computer program product for use in conjunction with a computer system, the 
computer program product comprising a computer readable storage medium and a computer 
program mechanism embedded therein, the computer program mechanism comprising: 

a program checking tool for analyzing a computer program to produce one or more 
warnings; 

at least one warning mapper for mapping at least one of said warnings into at least one 
annotation modification; 

a program updater for updating the computer program in accordance with the 
annotation modification so that the number of annotations in the computer program changes; 
and 

control instructions for repeatedly invoking the program checking tool, warning 
mapper and program updater until no warnings produced by the program checking tool are 
suitable for mapping into an annotation modification. 

23. The computer program product of claim 22 wherein at least a subset of said warnings 
are warnings about potential misapplications of primitive operations. 
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1 24. The computer program product of claim 23, wherein said at least one warning mapper 

2 includes instructions for identifying said warnings about potential misapplications of 

3 primitive operations, and the program updater includes instructions for inserting into the 

4 computer program an annotation that the warning mapper produces by mapping at least one of 

5 said warnings about potential misapplications of primitive operations into an annotation 

6 modification. 

7 25. The computer program product of claim 22, further including a heuristic annotation 

8 generator for generating and inserting a candidate set of heuristically derived annotations into 

9 the computer program. 

1 26. The computer program product of claim 25 wherein at least a subset of said warnings 

h& 2 are warnings about inconsistencies between the computer program and one or more of the 

Si 3 annotations. 

JjP 1 27. The computer program product of claim 25 wherein the warning mapper includes 

fii 

bj 2 instructions for identifying said warnings about inconsistencies between the computer 

[ 3 program and one or more of the annotations, and the program updater includes instructions 

jy 4 for removing from the computer program one of said heuristically derived annotations 

Jp 5 identified by said annotation modification. 

1 28. The computer program product of claim 25 wherein said candidate set of annotations 

2 comprises a candidate invariant for a variable f. 

1 29. The computer program product of claim 28 wherein said candidate invariant 

2 comprises an expression that includes a comparison operator. 

1 30. The computer program product of claim 29 wherein said comparison operator is 

2 selected from the group consisting of: <, <=, =, !=, >= and >. 

1 31. The computer program product of claim 29 wherein said expression includes an 

2 operand selected from the group consisting of: an earlier declared variable in a same class of 
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3 
4 



the computer program; any one of the constants 
allocation expression in the computer program. 



-1,0, 1; and a constant dimension in an array 



1 32. The computer program product of claim 27 wherein said instructions for removing 

2 comprise instructions for commenting out one of said heuristically derived annotations from 

3 the computer program. 

1 33. The computer program product of claim 22 wherein said program checking tool is a 

2 type checker. 

1 34. The computer program product of claim 22 wherein said program checking tool is an 

2 extended static checker. 



O 1 35. The computer program product of claim 22 wherein said program checking tool 

j^- 2 comprises a verification condition generator and a theorem prover. 

jUj 1 36. A system for annotating a computer program with at least one annotation, the system 

2 comprising: 

[H 3 at least one memory, at least one processor and at least one user interface, all of which 

•L.J 

| 4 are connected to one another by at least one bus; 

jll 5 wherein said at least one processor is configured to: 

6 annotate the computer program with at least one annotation; 

7 apply a program checking tool to the computer program to produce one or more 

8 warnings; 

9 map at least one of said warnings into at least one annotation modification; 

10 modify the computer program in accordance with the annotation modification so that 

1 1 the number of annotations in the computer program changes; and 

12 repeat applying the program checking tool, mapping said warnings and modifying the 

13 program until no warnings produced by the program checking tool are suitable for mapping 

14 into an annotation modification. 
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1 37. The system of claim 36 wherein at least a subset of said warnings are warnings about 

2 potential misapplications of primitive operations. 

1 38. The system of claim 37, wherein said at least one processor identifies said warnings 

2 about potential misapplications of primitive operations, and inserts into the computer program 

3 an annotation that a warning mapper produces by mapping at least one of said warnings about 

4 potential misapplications of primitive operations into an annotation modification. 

5 39. The system of claim 36, wherein said at least one processor further causes a heuristic 

6 annotation generator to generate a candidate set of heuristically derived annotations. 

1 40. The system of claim 38 wherein at least a subset of said warnings are warnings about 

Si 2 inconsistencies between the computer program and one or more of the annotations. 

Ui 1 41 . The system of claim 39 wherein the at least one processor removes from the computer 

m 2 program one of said heuristically derived annotations identified by said annotation 

,= - 5 

^ 3 modification. 

Jij 1 42. The system of claim 39 wherein said candidate set of annotations comprises a 

£ 2 candidate invariant for a variable f. 

o 

1 43. The system of claim 42 wherein said candidate invariant comprises an expression that 

2 includes a comparison operator. 

1 44. The system of claim 43 wherein said comparison operator is selected from the group 

2 consisting of: <, <=, =, !=, >= and >. 

1 45. The system of claim 43 wherein said expression includes an operand selected from the 

2 group consisting of: an earlier declared variable in a same class of the computer program; any 

3 one of the constants -1, 0, 1; and a constant dimension in an array allocation expression in the 

4 computer program. 
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1 46. The system of claim 41 wherein the at least one processor comments out one of said 

2 heuristically derived annotations from the computer program. 

1 47. The system of claim 36 wherein said program checking tool is a type checker. 

1 48. The system of claim 36 wherein said program checking tool is an extended static 

2 checker. 

1 49. The system of claim 36 wherein said program checking tool comprises a verification 

2 condition generator and a theorem prover. 

1 50. A method of annotating a computer program, comprising: 

t 2 a) applying a program checking tool to the computer program to produce one or more 

O 3 warnings about potential misapplications of primitive operations in the computer program; 

m. 4 b) mapping at least one of said warnings into at least one annotation modification; 

!jf 5 C ) inserting into the computer program said at least one annotation modification, 

5 IS? 

W 6 thereby producing a modified computer program; 

jliL 7 d) repeating each of a), b) and c) until no new warnings are produced in a) that are 

K 8 suitable for mapping into an annotation modification; and 

£ 9 e ) providing a user with the modified computer program in which is found at least one 

h* 10 annotation. 

1 51. A method of annotating a computer program, comprising: 

2 a) inserting a candidate set of annotations into the computer program by employing a 

3 heuristic analysis of the computer program; 

4 b) applying a program checking tool to the computer program to produce one or more 

5 warnings about inconsistencies between the computer program and one or more of the 

6 annotations; 

7 c) mapping at least one of said warnings into at least one annotation modifications; 

8 d) removing from the computer program an annotation, from said set of candidate 

9 annotations, that is mentioned by at least one of said warnings, thereby producing a modified 
1 0 computer program; 
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e) repeating each of b), c) and d) until no new warnings are produced in b) that are 
suitable for mapping into an annotation modification; and 

f) providing a user with the modified computer program in which is found at least one 
annotation. 
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